
Data breaches and ID theft are still hitting records. Here's how to protect yourself.

January 26, 2024

2023 was a record-breaking year for data compromises – and that's not a good thing.

In its latest yearly report, the San Diego-based Identity Theft Resource Center said there were 3,205 data compromises in 2023, a 78% increase from 2022 and a new record, topping the previous all-time high of 1,860 set in 2021.


In 2023, there were also more than 353 million victims of ID theft, according to the center, a nonprofit organization that assists consumers when they have become victims and advocates for better protections for consumers and businesses. That's a decrease of 16% from 2022, which is consistent with a general trend of the number of victims dropping slightly each year "due to organized identity criminals focusing on specific information and identity-related fraud and scams rather than mass attacks," the organization said.



Notifications of data breaches without information on the rise

The number of data breach notices without specific information, such as what happened, what the company has done to correct it, or what steps have been taken to make sure the breach doesn't happen again, has nearly doubled year over year, said James E. Lee, Identity Theft Resource Center's Chief Operating Officer. In 2023, more than 1,400 public breach notices did not contain such information.


"That's a problem and that creates risk for other businesses who could be attacked in a similar fashion and consumers who need to know how to protect themselves," Lee said.

There is no federal law that requires companies that have had a data breach to notify their customers or consumers more broadly, Lee said. There is instead a patchwork of state laws and federal regulations, with different requirements, he said. For instance, there is a federal regulation that any publicly traded company that has a data breach must notify consumers, but only 11% of data breaches last year would have qualified, Lee said.

"Every state has a different definition of what is a breach. Every state has a different trigger for when you have to send a notice. Every state has a different requirement for what information you include and who has to be notified," he said. It took until 2018 to have all 50 states pass a data-breach law and they're all over the board, Lee said.


Many laws don't have penalties for the company that had its information lost or breached and allow that organization to determine its risk and if it needs to notify consumers, Lee said.

Generally speaking, where the company is located is where the state law controls the notification, regardless of where affected consumers live, he said.

"But that's one of those things that we need to update because data breaches, just like data criminals, don't recognize those little imaginary (state) lines," he said.



Supply chain data attacks are on the rise

A growing target of data breach attacks by criminals is within a supply chain of a company and its sometimes smaller suppliers, Lee said.

"The criminals will attack a smaller organization that works for big companies," said Lee. Usually, those companies don't have security measures that are as tight, but attacking them still gets the criminals the bigger data they want, he said.

"For an identity criminal, that's Nirvana. I can pick one company and get the company that has hundreds if not thousands of companies (access to information)," Lee said.

Criminals are also ramping up what are called "zero-day attacks," which use an unknown flaw in a company's software to get in, Lee said. Even the guys who wrote the software don't know the flaw is there "and the bad guys find it," said Lee.


How do you protect yourself from data breaches or ID theft?

While there isn't a lot a consumer can do to prevent a company from becoming a data breach victim and therefore the consumer from becoming a target as well, Lee said there are ways consumers can protect themselves – especially before a data breach.

Here are some tips from the ID Theft Resource Center:


◾ Freeze your credit with all credit bureaus, as a protective measure. Find out how to freeze your credit and other tips at www.idtheftcenter.org

◾ Change your password and switch to a 12-plus character passphrase.

◾ Enable two-factor authentication (with an app, if possible) on your accounts.

◾ If a website or your phone offers a passkey option, which goes beyond a password and can use fingerprint or facial ID, take it.

◾ Keep an eye out for phishing attempts that claim to be from the breached organization.

◾ Follow the advice on the data breach notice offered by the impacted company.

◾ Change the passwords of other accounts with the same password as the breached account.


Source: USA Today



January 28, 2024
Zero-day exploits, supply chain attacks fuel 72% increase over previous record for incidents of compromise. Another increase is expected for 2024. 
January 26, 2024
In recent months, the appearance of the massive “Naz.API” dataset in public circulation raised fears of a monster “combo file” that would pull together searchable information from all prior data leaks. It now appears that the “Mother of All Breaches” (MOAB) already exists, discovered by security researchers in an internet-facing open instance kept by an unknown party. The 1.2 terabyte file is broken up into over 3,800 folders, each one representing a prior data leak that saw personal information or credentials make their way to the open internet. In total there are over 26 billion records. Because of the massive amount of information present, it is not yet entirely clear if the MOAB has never-seen-before data in its stores.

Centralized data leak collection was inevitable

The discovery comes from security researcher Bob Dyachenko of SecurityDiscovery.com and Cybernews, which is hosting a searchable list of the included breaches at its website. However, it’s safe to assume that if a data leak took place in roughly the last 10 or 15 years you will find at least some of its contents in the MOAB. The sprawling archive contains an apparent combination of breaches of Tencent’s services that totals about 1.5 billion records, the 538 million Weibo leak that appeared on dark web forums in 2020, the 2016 leak of 316 million older Myspace passwords, the early 2023 leak of 281 million Twitter email addresses, and 251 million records from one of LinkedIn’s wave of breaches, among many other examples.

“Combo files” that bring these sorts of data leaks together for criminal convenience are nothing new, dating back to the appearance of the “Collection” files on the dark web in 2019 (if not before). This is by far the largest one yet encountered, however, at almost 10 times the size of the prior record-holder.

It was inevitable that someone would try to create a massive compendium of all of this illicit data floating around, but it remains unknown who was paying for the storage space for all of this and what their purpose was for it. The file does not appear to have been advertised on dark web forums or the usual gathering places for cyber criminals, but given that it was open to the internet it is unknown who else has accessed it.

Tamara Kirchleitner, Senior Intelligence Operations Analyst at Centripetal, notes that cyber criminals will necessarily become more organized as more pressure is applied to them: “Personal data can remain vulnerable for years, highlighting the need for continuous monitoring and updating of security protocols. Additionally, this event highlights the evolving nature of cyber threats. Cybercriminals are becoming more sophisticated, taking advantage of advanced techniques to aggregate and analyze data from multiple sources. This calls for a proactive approach to cybersecurity, where strategies and defenses are regularly reviewed and updated in response to the ever-evolving threats. Finally, it’s crucial for organizations to prioritize data protection and invest in comprehensive cybersecurity strategies. This includes awareness training, secure password managers, security audits, robust encryption, and incident response plans. Collaboration and information sharing between cybersecurity experts are also crucial in combating large-scale cyber threats.”

Growing data leak availability makes case for MFA, password managers

The complete impact of the MOAB data leak is still being assessed, and the number of unique records will likely come down as security researchers comb through it and find duplicate credentials or personal information entries. But as Naz.API demonstrated, it may also contain previously non-public stolen data. And in total, it will still likely stand as the biggest release of stolen digital information by far.

At minimum, the collection likely means a near-term surge in credential stuffing attacks. Unlike the usual breach disclosure, the involved party here is likely a threat actor or data broker. It remains to be seen if the news will cause them to cut off access. If they do not, other threat actors will almost certainly follow the tracks (likely with something as simple as judicious use of SHODAN) to also obtain it. It may have already been found in this way prior to the public disclosure.

The lone silver lining thus far appears to be that new information has not been found. The included data leaks have already gone public, some over a decade ago. But convenience will always attract more threat actors and perhaps entice them to pursue smaller targets they wouldn’t have otherwise bothered with.

Doriel Abrahams, Principal Technologist for Forter, expands on the dangers that these mega-files present: “Although the common assumption with this leak is there’s nothing ‘new,’ this COMB is extremely beneficial for bad actors. Since they can leverage this data to validate whether users have similar or identical passwords across multiple platforms, they can attempt ATOs on other sites not part of the current leak. Knowing which platforms users frequent is a superpower for social engineering scammers. They can be more targeted and, ultimately, effective. While companies can always double down on information security, consumers should take this time to do their due diligence on the companies that have access to their data. To prevent ATO, consumers should ensure they’re using different passwords for each site. Ideally the passwords are completely different but even swapping out a character or two can make it a lot more difficult for bad actors. And always be vigilant when asked for information via email or phone.”

And while a minority of the MOAB data leak entries contain plaintext passwords, Tony Anscombe (Global Security Evangelist at ESET) notes that convenient compilations of contact and personal information also mean an inevitable uptick in crime attempts: “We should never underestimate what cybercriminals can achieve even with such limited information. Victims need to be aware of the consequences of stolen passwords and make the necessary security updates in response. This includes changing their passwords, being alert to phishing emails following the breach, and ensuring all accounts, whether affected or not, are equipped with two-factor authentication. Many systems share platforms and are aggressively attempted with the latest attacks. Lots of networks rely heavily on updates, but when a vulnerability is located, it is a race against time to patch the issue before the data is compromised. Alternatively, attackers can often target a system and remain under the radar in stealth mode, monitoring activity and deciding on what and when to pounce.”

Attempts of this sort will continue as long as password re-use remains common, and password reuse will remain common as long as people are expected to juggle an average of about 100 login credentials to navigate their modern life. Very recent studies present disheartening numbers: about 60% of people can still be expected to reuse passwords, around 15% will use one password for absolutely everything they do online, and even the majority of IT professionals will email a password in plaintext on occasion. Annual “Top 10” lists of most-used passwords also continue to be strewn with “123” variations and the words “qwerty” and “password” modified just enough to meet website character requirements.

Source: Scott Ikeda, CPO Magazine